What businesses need to know about the Cyber Security and Resilience Bill


The UK government last week announced a new Cyber Security and Resilience Bill, among 40 new pieces of legislation. But what does the Bill set out to do, and how should businesses prepare for it?

Last Friday (19 July), businesses and services all around the world were thrown into chaos by what is thought to be the largest-scale IT blackout in history. Thousands of flights were cancelled, and countless businesses across banking, broadcasting, healthcare and payment systems were affected, with GPs struggling to access records and pharmacies unable to access prescriptions.

Work is ongoing to reboot systems and resolve issues caused by the outage, which came about due to a corrupted software update being sent out by cybersecurity firm CrowdStrike to huge numbers of customers. The error led to systems crashing all over the world, affecting a wide range of industries and sectors.

Microsoft estimated that around 8.5m computer systems were disabled, marking the first time a figure has been put on a cyber incident. It’s believed to be the largest cyber-event the world has experienced, eclipsing all previous hacks and outages.

How could a software bug wreak havoc on this scale?

Although there has been no suggestion that this was the result of a cyberattack, a glitch on this scale is a poignant reminder of how reliant the world has become on devices that are managed remotely by major tech companies.

Systems that give us access to medicines, finance, travel and other critical services are built on interconnected platforms that are under increasing threat from cyber-attacks and malware. Software errors and faults may arise with no ill intent, but they can still significantly compromise the security of applications and systems, because they can give malicious actors vulnerabilities to exploit.

Last week’s outage has prompted warnings from cyber-security experts about opportunistic hacking attempts linked to the blackout. David Weston, vice-president at CrowdStrike, said in a blog post: “We know that adversaries and bad actors will try to exploit events like this… Whenever there is a major news event, especially one linked to technology, hackers respond by tweaking their existing methods to take into account the fear and uncertainty.”

How concerned should we be about cyberattacks?

Cyberattacks are growing increasingly sophisticated and frequent, and have the potential to cause significant damage. They can cause massive financial losses to businesses, governments, and individuals. Ransomware attacks, in particular, can paralyse operations and result in hefty ransom payments and recovery costs.

Personal and sensitive information, including financial data, health records, and intellectual property, can be stolen, while state-sponsored cyberattacks can target critical infrastructure such as power grids, water supplies, and transportation systems.

What’s more, cybercriminals are constantly evolving their tactics, employing advanced techniques such as AI and machine learning to carry out more sophisticated and harder-to-detect attacks.

In an effort to tackle this, the UK government’s new Cyber Security and Resilience Bill aims to bolster the country’s defences and ensure that businesses and public services can withstand and recover from all kinds of cyber-incidents.

Here’s a closer look at what UK businesses need to know about this pivotal bill…

Key aspects of the Cyber Security and Resilience Bill

Incident reporting and response

One of the critical components of the bill is the requirement for businesses to report cyber incidents promptly. This includes breaches of personal data, disruptions to business operations, and other significant cybersecurity events. The goal is to ensure swift action and collaboration between businesses and governmental agencies to mitigate the impact of such incidents.

Enhanced regulatory framework

The bill introduces a comprehensive regulatory framework designed to enforce stringent cybersecurity measures across various sectors. This framework includes mandatory compliance with established cybersecurity standards and practices. Ultimately, businesses will need to demonstrate their adherence to these standards through regular audits and reporting.

Supply chain security

Recognising that vulnerabilities often originate from third-party suppliers, the bill emphasises the importance of securing the entire supply chain. Businesses will be required to vet their suppliers’ cybersecurity measures and ensure that any third-party service providers comply with the same stringent standards imposed on the primary business.

Critical infrastructure protection

For businesses operating in critical infrastructure sectors, such as energy, transportation, and healthcare, the bill mandates additional security measures. These businesses must implement robust cybersecurity protocols to protect essential services from cyber threats. Failure to do so could result in severe penalties and sanctions.

Employee training and awareness

The bill underscores the importance of human factors in cybersecurity. Businesses will need to invest in regular training and awareness programs for their employees. This includes educating staff about phishing attacks, secure handling of sensitive information, and the importance of following established cybersecurity protocols.

Resilience and recovery plans

Beyond prevention, the bill mandates that businesses develop and maintain comprehensive resilience and recovery plans. These plans should detail how businesses will respond to and recover from cyber incidents, ensuring minimal disruption to operations and swift restoration of services.

What are the implications for UK businesses?

1. Increased compliance costs: Complying with the new regulations will inevitably involve costs. Businesses may need to invest in new technologies, hire cybersecurity experts, and conduct regular training sessions. However, these costs should be viewed as essential investments in the long-term security and stability of the business.

2. Heightened accountability: With mandatory reporting and stringent regulatory oversight, businesses will face increased accountability for their cybersecurity practices. Senior management and board members will need to be actively involved in overseeing cybersecurity measures and ensuring compliance.

3. Improved security posture: While the bill imposes new responsibilities, it also offers an opportunity for businesses to enhance their security posture. By adhering to best practices and implementing robust cybersecurity measures, businesses can protect themselves against a wide range of cyber threats and minimise the risk of costly data breaches.

4. Reputation management: Demonstrating compliance with the Cyber Security and Resilience Bill can enhance a business’s reputation. Customers, partners, and stakeholders are increasingly aware of cybersecurity issues, and businesses that prioritise security are likely to gain a competitive advantage.

5. Collaboration with government agencies: The bill encourages closer collaboration between businesses and government agencies. This partnership is crucial in the fight against cybercrime, as it enables the sharing of threat intelligence and best practices, ultimately strengthening the overall security landscape.

For businesses, the Cyber Security and Resilience Bill brings both challenges and opportunities. While compliance may require substantial effort and investment, the benefits of a robust cybersecurity posture far outweigh the costs. By taking proactive steps to align with the new regulations, UK businesses can not only protect themselves from cyber threats but also build trust and confidence among their customers and stakeholders.

Our upcoming programme: Advancing Aviation

Anchored by journalist Sharon Thomas, from ITN’s London Studios, Advancing Aviation will dive into the latest economic trends, policies and investments shaping the sector, and into how technology and innovation are driving change for the sector, from cutting-edge aircraft design to revolutionary advancements in air traffic management.

Our programme will explore sustainability and the industry’s ambitions towards net-zero and how the dynamic and diverse workforce of professionals, innovators and visionaries is essential to the industry’s success.
